Target IP: 10.10.108.49
Challenge Description:
A port scan against the target machine shows three open TCP ports, as shown above: FTP, SSH, and HTTP on their standard ports.
An aggressive port scan against the open ports returns the information above. The FTP application on port 21 allows anonymous login, and there is an interesting directory called need_Help?, as shown above. SSH is running on port 22. The HTTP application on port 80 also looks interesting. The target machine seems to be running Ubuntu. I will start enumeration with the FTP application on port 21.
Port 21: FTP
I connected to the FTP application using anonymous login. The directory need_Help? contains one directory called Talk_with_me and one file called Aogiri_tree.txt, as shown above. I downloaded this file to my machine. The Talk_with_me directory contains two files, rize_and_kaneki.jpg and need_to_talk, as shown above. I downloaded these files to my machine as well.
The file Aogiri_tree.txt contains the message above.
Running the binary need_to_talk prompts for a passphrase. However, I can run strings on this binary to see the different strings embedded in this application.
After running strings on the binary, I found an interesting string, kamishiro, as shown above. Is this the passphrase?
And bingo! kamishiro is the passphrase. The application then reveals another key, You_found_1t.
I am guessing the key from the previous image can be used to extract hidden data from the image file. And yep: the image file rize_and_kaneki.jpg contains a text file called yougotme.txt, as shown above. I extracted this file using steghide. The Morse-code content of this hidden text file is shown above. Apparently this ciphertext contains the secret directory.
Using an online Morse-code decoder, I obtained the result 5A4446794D324D334D484A3558324E6C626E526C63673D3D, as shown above.
Then, using CyberChef, I obtained the secret directory d1r3c70ry_center, as shown above. This sounds like a web directory. Time to enumerate the web application on port 80.
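The same decoding chain, written out as an added example (not part of the original write-up): Morse letters to a hex string, the hex string to a base64 string, and base64 to the plaintext directory name. The hidden text file itself is not reproduced in the write-up, so the Morse input below is a constructed encoding of the hex value the write-up obtained; the table only covers the 16 hex digits because that is all the message uses.

```python
import base64

# Morse table for the 16 hex digits (the only symbols this message needs).
MORSE_HEX = {
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
}

# Constructed input: the Morse encoding of the hex string the write-up obtained
# (5A4446...3D3D). The write-up does not reproduce the hidden file, so this
# string was built from that hex value; letters are separated by single spaces.
MORSE_INPUT = (
    "..... .- ....- ....- ....- -.... --... ----. "
    "....- -.. ...-- ..--- ....- -.. ...-- ...-- "
    "....- -.. ....- ---.. ....- .- ...-- ..... "
    "..... ---.. ...-- ..--- ....- . -.... -.-. "
    "-.... ..--- -.... . ..... ..--- -.... -.-. "
    "-.... ...-- -.... --... ...-- -.. ...-- -.."
)


def morse_to_text(morse: str) -> str:
    """Decode space-separated Morse letters; '/' separates words."""
    words = []
    for word in morse.split("/"):
        letters = []
        for sym in word.split():
            if sym not in MORSE_HEX:
                raise ValueError(f"not a hex-digit Morse symbol: {sym!r}")
            letters.append(MORSE_HEX[sym])
        words.append("".join(letters))
    return " ".join(words)


def decode_layers(hex_text: str) -> str:
    """Peel the two encoding layers: hex text -> base64 text -> plaintext."""
    b64_text = bytes.fromhex(hex_text)            # b"ZDFyM2M3MHJ5X2NlbnRlcg=="
    plain = base64.b64decode(b64_text, validate=True)
    return plain.decode("utf-8")


def recover_directory(morse: str) -> str:
    """Full chain: Morse -> hex -> base64 -> directory name."""
    return decode_layers(morse_to_text(morse))


if __name__ == "__main__":
    hex_text = morse_to_text(MORSE_INPUT)
    print("hex   :", hex_text)
    print("base64:", bytes.fromhex(hex_text).decode())
    print("plain :", decode_layers(hex_text))
```

Running it prints the three layers in order; the intermediate base64 string is what CyberChef shows after its From Hex step, and the final line is the directory name used in the rest of the write-up.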
Port 80: HTTP
The webpage above is displayed for this web application. There is a clickable hyperlink with the text Can you help him escape?, as shown above.
Viewing the source code of this webpage reveals the FTP hint above, which I had already found.
Clicking the hyperlink on the main page displays the webpage above. This page does not contain anything useful, and neither does its source code. Time to browse to the hidden directory.
Browsing to http://10.10.108.49/d1r3c70ry_center/ displays the webpage above. This webpage contains the hint Scan me. Maybe I can find hidden directories inside this directory?
And bingo! Using gobuster, I found another hidden directory with the name /claim inside /d1r3c70ry_center as shown above.
Browsing to this new hidden directory displays the webpage above. This page has three buttons that are clickable with the labels MAIN PAGE, NO, and YES as shown above.
Viewing the source code of this new page reveals interesting information. The NO and YES buttons use an interesting parameter named view to include a file called flower.gif, as shown above. However, the application does not actually include it, as the image is not displayed on the page. Maybe this page is vulnerable to directory traversal and/or LFI/RFI? Time to test it.
Trying to include the /etc/passwd file outputs the message above. By the looks of it, there is some sort of filtering in place. Time to fuzz this further.
Using ffuf with the command ffuf -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -u http://10.10.108.49/d1r3c70ry_center/claim/index.php?view=FUZZ -fs 377,378, I tested for working LFI payloads and obtained one result, as shown above. This payload successfully retrieved the /etc/passwd file. I had to filter out responses of size 377 and 378 (the -fs option) to isolate the real hit.
And browsing to http://10.10.108.49/d1r3c70ry_center/claim/index.php?view=/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd displays the /etc/passwd file shown above. This file contains the username kamishiro with the password hash $6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0. Maybe I can crack the password of the user kamishiro and gain a foothold on the target machine via SSH?
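From the defender's side, the interesting detail in this step is that the filter rejected the literal /etc/passwd but not the percent-encoded traversal, because the web server decodes %2e before the application's string check ever runs. The added example below (my code, not part of the write-up or of the challenge) shows the two things that actually fix that: a detector that decodes the view parameter repeatedly before looking for ".." segments or absolute paths, run over a few constructed access-log lines that include the write-up's payload, and a safe_resolve() function that accepts a requested file only if its resolved path stays below the intended directory. The log lines, the client address, timestamps and the web root path are all made up for this example.

```python
import re
import urllib.parse
from pathlib import Path
from typing import List, Optional

# Constructed sample access-log lines (combined log format; addresses, times and
# sizes are invented). Line 3 carries the traversal payload from the write-up,
# line 4 a double-encoded variant of it.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /d1r3c70ry_center/claim/index.php?view=flower.gif HTTP/1.1" 200 512
10.10.14.5 - - [01/Jan/2024:10:00:02 +0000] "GET /d1r3c70ry_center/claim/index.php?view=/etc/passwd HTTP/1.1" 200 377
10.10.14.5 - - [01/Jan/2024:10:00:03 +0000] "GET /d1r3c70ry_center/claim/index.php?view=/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1466
10.10.14.5 - - [01/Jan/2024:10:00:04 +0000] "GET /d1r3c70ry_center/claim/index.php?view=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 377
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """URL-decode until the value stops changing, so %252e (double-encoded) ends up as '.'."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(view: str) -> bool:
    """True if the decoded parameter leaves the intended directory (absolute path or a '..' segment)."""
    decoded = fully_decode(view).replace("\\", "/")
    if decoded.startswith("/"):
        return True
    return any(seg == ".." for seg in decoded.split("/"))


def safe_resolve(view: str, base: Path) -> Optional[Path]:
    """Mitigation: resolve the candidate path and accept it only if it stays below base.
    This is a structural check; it does not depend on spotting any particular string."""
    base = base.resolve()
    target = (base / fully_decode(view)).resolve()
    if target == base or base in target.parents:
        return target
    return None


def flag_requests(log_text: str) -> List[str]:
    """Return the decoded 'view' values of requests that attempt traversal."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urllib.parse.urlsplit(m.group(1)).query
        # parse_qs decodes once; is_traversal() decodes the rest.
        for view in urllib.parse.parse_qs(query).get("view", []):
            if is_traversal(view):
                hits.append(fully_decode(view))
    return hits


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print("traversal attempt:", hit)
    web_root = Path("/srv/www/claim")          # assumed web root for the example
    print("flower.gif ->", safe_resolve("flower.gif", web_root))
    print("payload    ->", safe_resolve("/%2e%2e/%2e%2e/etc/passwd", web_root))
```

The detector flags three of the four constructed requests (everything except flower.gif); safe_resolve() returns a path for flower.gif and None for the traversal, which is the behaviour the page's view parameter should have had. In the real application the cleanest fix is an allowlist of view names rather than any path handling at all, but the resolved-path check is the minimum that a substring filter cannot replace.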
And bingo! I copied the password hash of the user kamishiro to my machine. Then, using john, I cracked the hash and obtained the password password123. I now have the credentials kamishiro:password123.
Using these credentials, I gained a foothold on the target machine as the user kamishiro via SSH.
This user's home directory contains an interesting file called jail.py. Running sudo -l shows this user can execute the command /usr/bin/python3 /home/kamishiro/jail.py as the user root. Maybe I can exploit this Python application to gain root privileges on the target machine?
The content of jail.py is shown above. The application reads user input, but first checks it against the highlighted words shown above; this check is meant to prevent a shell breakout.
After searching on Google for Python jail escapes, I found some interesting articles. I then created the payload __builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower()).__dict__['SYSTEM'.lower()]('/bin/bash') to spawn a bash shell. Using this payload, I managed to break out of the jail and spawn a root bash shell, as shown above. Now I have root access on the target machine :)
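The reason the jail's word check fails is that it looks at the text of the input, while the input only has to produce the banned names at runtime ('OS'.lower()). The added example below (my code, not the challenge's jail.py) contrasts that substring check with a check on the parsed syntax tree: dunder names, dunder attribute access and a small set of introspection built-ins are rejected regardless of how they are spelled. The word list is an assumption standing in for the highlighted words the write-up mentions, since the page does not reproduce them; the escape string from the write-up is used only as a test input and is never evaluated.

```python
import ast

# The escape string from the write-up, used here only as input to the two checkers.
PAYLOAD = ("__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower())"
           ".__dict__['SYSTEM'.lower()]('/bin/bash')")

# Assumed word list: the write-up does not reproduce jail.py's list, so this
# is a guess at the kind of "highlighted words" it describes.
ASSUMED_BLACKLIST = ("import", "os", "system", "eval", "exec", "open", "subprocess")

# Names that hand out interpreter internals; an expression that uses any of
# them is rejected no matter how the name was assembled.
BANNED_NAMES = {"__builtins__", "__import__", "eval", "exec", "compile", "open",
                "getattr", "setattr", "delattr", "globals", "locals", "vars",
                "breakpoint", "input"}


def blacklist_blocks(src: str, words=ASSUMED_BLACKLIST) -> bool:
    """Substring check of the kind the write-up describes: True if a banned word appears verbatim."""
    return any(w in src for w in words)


def ast_allows(src: str) -> bool:
    """Structural check: parse the input as a single expression and accept it only
    if it contains no banned name, no dunder identifier and no dunder attribute.
    Case tricks and .lower() calls do not help, because the checker never looks
    at string contents; it looks at which names and attributes the code touches."""
    try:
        tree = ast.parse(src, mode="eval")
    except SyntaxError:
        return False
    for node in ast.walk(tree):
        if isinstance(node, ast.Name):
            if node.id in BANNED_NAMES or node.id.startswith("__"):
                return False
        elif isinstance(node, ast.Attribute):
            if node.attr.startswith("__"):
                return False
        elif isinstance(node, (ast.Lambda, ast.Await, ast.Yield, ast.YieldFrom)):
            return False
    return True


if __name__ == "__main__":
    for label, src in (("write-up payload", PAYLOAD), ("harmless", "2 ** 10 + len('abc')")):
        print(f"{label:17} blacklist blocks: {blacklist_blocks(src)!s:5} "
              f"ast allows: {ast_allows(src)!s:5}")
```

For the write-up's payload the substring check returns False (nothing in its text matches the assumed words) while the AST check rejects it on the first __builtins__ name it meets. The structural check is still only a filter on what the input can say; the privilege problem on this box is that sudo lets the script run as root at all, and an eval-style jail is not a sandbox for root-level input.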
The user.txt flag is shown above.
The root.txt flag is shown above.